Call Home Installation And Configuration - Cisco


CHAPTER 3
Call Home Installation and Configuration

Smart Call Home User Guide, Version 2.0

There are several types of Call Home configurations you can use on a Catalyst 6500. This chapter shows three basic configurations. They are Call Home configurations for:

- HTTPS
- Email to Smart Call Home
- Email to Transport Gateway and HTTPS to Cisco

The last section of this chapter explains the security considerations for configuring Smart Call Home when not using a Transport Gateway.

Call Home Configuration - HTTPS

The following is a sample configuration showing the minimum steps required to configure Call Home on a Catalyst 6500 to communicate securely with the Smart Call Home System using HTTPS, and a command to start the registration process. All the following commands are displayed in red.

Step 1  Enable Call Home – In global configuration mode, enter the service call-home command to activate the call-home feature and enter the call-home configuration command to enter call-home configuration mode.

    Cat6500#configure terminal
    Cat6500(config)#service call-home
    Cat6500(config)#call-home

Step 2  Configure the mandatory contact email address.

    Cat6500(cfg-call-home)#contact-email-addr username@domain-name

Step 3  Activate the default CiscoTAC-1 Profile and set the transport option to HTTP.

    Cat6500(cfg-call-home)#profile CiscoTAC-1
    Cat6500(cfg-call-home-profile)#destination transport-method http

Step 4  Install a security certificate – Download the Cisco server certificate from cgi?CONTYPES AST-Forum .

Step 5  Configure a trust-point and prepare to enroll the certificate via the terminal, using copy and paste when prompted.

    Cat6500(config)#crypto ca trustpoint cisco
    Cat6500(ca-trustpoint)#enroll terminal
    Cat6500(ca-trustpoint)#crypto ca authenticate cisco
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word “quit” on a line by itself
    [paste the certificate here and accept it]
    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    % Certificate successfully imported

Step 6  Exit and save the configuration.

    Cat6500(config-cert-chain)#end
    Cat6500#copy running-config startup-config

Step 7  Send a Call Home Inventory message to start the registration process.

    Cat6500#call-home send alert-group inventory
    Sending inventory info call-home message .
    Please wait. This may take some time .
    Call-home message is sent.

Step 8  Receive an email from Cisco and follow the link to complete registration for Smart Call Home.

For information about troubleshooting HTTP destination errors, see Troubleshooting Call Home HTTP Destination Errors.

Call Home Configuration - Email to Smart Call Home

The following is a sample configuration showing the minimum steps required to configure Call Home on a Catalyst 6500 to communicate using email with the Smart Call Home System, and a command to start the registration process. All the following commands are displayed in red.

Step 1  Enable Call Home – In global configuration mode, enter the service call-home command to activate the call-home feature and enter the call-home configuration command to enter call-home configuration mode.

    Cat6500#configure terminal
    Cat6500(config)#service call-home
    Cat6500(config)#call-home

Step 2  Configure the mandatory contact email address.

    Cat6500(cfg-call-home)#contact-email-addr username@domain-name

Step 3  Configure the mandatory email server information – The mail-server address is an IP address or domain-name of an SMTP server that Call Home will send email messages to. If more than one mail-server address is configured for redundancy, the mail-server priority is used to determine which server is the active primary server. Call Home will send messages to the active server with the lowest priority number.

    Cat6500(cfg-call-home)#mail-server <address> priority <server priority number>

Step 4  Activate the default CiscoTAC-1 Profile and set the transport option to Email.

    Cat6500(cfg-call-home)#profile CiscoTAC-1
    Cat6500(cfg-call-home-profile)#destination transport-method email

Step 5  Exit and save the configuration.

    Cat6500(config-cert-chain)#end
    Cat6500#copy running-config startup-config

Step 6  Send a Call Home Inventory message to start the registration process.

    Cat6500#call-home send alert-group inventory
    Sending inventory info call-home message .
    Please wait. This may take some time .
    Call-home message is sent.

Step 7  Receive an email from Cisco and follow the link to complete registration for Smart Call Home.

Call Home Configuration - Email to Transport Gateway and HTTPS to Cisco

The following is a sample configuration showing the minimum steps required to configure Call Home on a Catalyst 6500 to communicate via a Transport Gateway with the Smart Call Home System using HTTPS, and a command to start the registration process. All the following commands are displayed in red.

Step 1  Enable Call Home – In global configuration mode, enter the service call-home command to activate the call-home feature and enter the call-home configuration command to enter call-home configuration mode.

    Cat6500#configure terminal
    Cat6500(config)#service call-home
    Cat6500(config)#call-home

Step 2  Configure the mandatory contact email address.

    Cat6500(cfg-call-home)#contact-email-addr username@domain-name

Step 3  Configure the mandatory email server information – The mail-server address is an IP address or domain-name of an SMTP server that Call Home will send email messages to.

    Cat6500(cfg-call-home)#mail-server <address> priority <server priority number>

Step 4  De-activate the default CiscoTAC-1 Profile.

    Cat6500(cfg-call-home)#profile CiscoTAC-1
    Cat6500(cfg-call-home-profile)#no active

Step 5  Configure a user profile – The profile’s alert-group subscriptions will be similar to the default CiscoTAC-1 profile, with the destination email transport-method and with a destination email address which is for the email account used by the Transport Gateway.

    Cat6500(cfg-call-home)#profile Your profile
    Cat6500(cfg-call-home-profile)#destination transport-method email
    Cat6500(cfg-call-home-profile)#destination address email account for
    Cat6500(cfg-call-home-profile)#subscribe-to-alert-group diagnostic severity
    Cat6500(cfg-call-home-profile)#subscribe-to-alert-group environment severity
    Cat6500(cfg-call-home-profile)#subscribe-to-alert-group syslog severity major pattern
    Cat6500(cfg-call-home-profile)#subscribe-to-alert-group configuration periodic monthly 23
    Cat6500(cfg-call-home-profile)#subscribe-to-alert-group inventory periodic monthly 23 15:00

Step 6  Exit and save the configuration.

    Cat6500(config-cert-chain)#end
    Cat6500#copy running-config startup-config

Step 7  Download the Transport Gateway, configure and register it for Smart Call Home – Refer to the Smart Call Home Users’ Guide for further information on configuring the Transport Gateway.

Step 8  Send a Call Home Inventory message to start the registration process.

    Cat6500#call-home send alert-group inventory
    Sending inventory info call-home message .
    Please wait. This may take some time .
    Call-home message is sent.

Step 9  Receive the email from Cisco and follow the link to complete registration for Smart Call Home.

Security Considerations For Call Home Configuration

This section covers the following areas:

- Configuring Call Home When Not Using the Transport Gateway
- Using AAA on the Catalyst 6500

Configuring Call Home When Not Using the Transport Gateway

When not using the Transport Gateway, follow the instructions listed below:

Note  The switch, regardless of the protocol (HTTP/SMTP/HTTPS), always scrubs sensitive information such as passwords and SNMP Community strings in the configuration before sending it over the wire.

- SMTP is not a secure protocol and hence is not the recommended method for sending Smart Call Home messages to the back-end server. The preferred mechanism is HTTPS, which is the default.
- The certificate of the Certification Authority must be installed on the switch before HTTPS communication with the back-end server can occur.

The Cisco server certificate used by Smart Call Home needs to be installed on your Catalyst 6500, even if you are already using HTTPS and have a server certificate installed; you need to install the server certificate for Smart Call Home. The Security Certificate is available at the end of this User Guide. All the following commands are displayed in red.

The Security Certificate is installed using the crypto ca authenticate command. The sequence of commands used to install the CA certificate on the switch is given below.

    Cat6500(config)#crypto ca trustpoint cisco
    Cat6500(ca-trustpoint)#enroll terminal
    Cat6500(ca-trustpoint)#crypto ca authenticate cisco
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word “quit” on a line by itself
    [paste the certificate here and accept it]
    % Do you accept this certificate? [yes/no]: yes
    Trustpoint CA certificate accepted.
    % Certificate successfully imported

Note  Depending on the configuration deployed by the customer, the protocols and ports defined in Table 1 need to be allowed on the firewall between the stated source and destination. In a typical configuration where the switches are installed on the internal network, this communication will be seamless without a need for a configuration change on the firewall, as the traffic will flow from the switch on the high-security internal network zone to the Internet on the low-security zone.

Table 3-1  Protocols and Ports without the Transport Gateway

Source          | Destination                                                              | Protocol | Port | Description
----------------|--------------------------------------------------------------------------|----------|------|------------
Catalyst Switch | Cisco’s back-end server                                                  | HTTPS    | 443  | Device to send SCH messages to the back-end server – Option 1
Catalyst Switch | Customer’s email server en route to Cisco’s back-end server              | SMTP     | 25   | Device to send SCH messages to the back-end server – Option 2
Catalyst Switch | Customer’s Local web server for Customer to process and initiate action  | HTTP     | 80   | Device to send SCH messages to the customer server

Using AAA on the Catalyst 6500

If AAA is configured on the Catalyst 6500, then a user account with username callhome must be configured on the AAA server. The password options for the account may be defined by the server administrator.

The following list contains all the currently supported authorization commands:

config message:
- show module
- show version
- show install running (ION only)
- show running-config all
- show startup-config
- remote command switch show version

diagnostic message:
- show module
- show diagnostic result module x detail
- show version
- show install running (ION only)
- show inventory
- show buffers
- show logging
- show diagnostic result module all
- remote command switch show version
- show logging system last 100

environment message:
- show module
- show environment
- show logging
- show power

inventory message:
- show module
- show version
- show install running (ION only)
- show inventory
- show idprom all
- remote command switch show version
- show diagbus

syslog message:
- show logging

test message:
- show module
- show version
- show install running (ION only)
- remote command switch show version
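Because the callhome account only ever needs the commands listed above, AAA records for that account can be checked against the list. The following is an added example, not part of the Cisco guide: the `user=... cmd=...` record format and the function name are hypothetical, the sample records are constructed, and the `x` in `show diagnostic result module x detail` is assumed to stand for a module number.

```python
import re

# Commands the guide lists as authorized for Call Home, all message types merged.
# Assumption: "x" in "show diagnostic result module x detail" is a module number.
ALLOWED = [
    r"show module", r"show version", r"show install running",
    r"show running-config all", r"show startup-config",
    r"remote command switch show version",
    r"show diagnostic result module \d+ detail",
    r"show diagnostic result module all",
    r"show inventory", r"show buffers", r"show logging",
    r"show logging system last 100", r"show environment", r"show power",
    r"show idprom all", r"show diagbus",
]
ALLOWED_RE = re.compile(r"^(?:%s)$" % "|".join(ALLOWED))

# Hypothetical one-record-per-command format; adapt the pattern to your AAA server.
RECORD_RE = re.compile(r"user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

def unexpected_callhome_commands(lines, account="callhome"):
    """Return commands run by the Call Home account that the guide does not list."""
    findings = []
    for line in lines:
        m = RECORD_RE.search(line)
        if not m or m.group("user") != account:
            continue
        # Collapse whitespace and drop the trailing <cr> some servers log.
        cmd = " ".join(m.group("cmd").replace("<cr>", "").split()).lower()
        if not ALLOWED_RE.match(cmd):
            findings.append(cmd)
    return findings

# Constructed sample records, not real logs.
SAMPLE = [
    "2024-01-01T00:00:01Z user=callhome cmd=show module <cr>",
    "2024-01-01T00:00:02Z user=callhome cmd=show diagnostic result module 3 detail <cr>",
    "2024-01-01T00:00:03Z user=callhome cmd=show  logging system last 100",
    "2024-01-01T00:00:04Z user=callhome cmd=show running-config <cr>",
    "2024-01-01T00:00:05Z user=callhome cmd=configure terminal <cr>",
    "2024-01-01T00:00:06Z user=admin cmd=configure terminal <cr>",
]

if __name__ == "__main__":
    for cmd in unexpected_callhome_commands(SAMPLE):
        print("callhome ran a command outside the supported list:", cmd)
```

The same list can serve as the per-command authorization set for the callhome account on the AAA server, so that anything the checker would flag is denied at the source.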
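The transport guidance under "Configuring Call Home When Not Using the Transport Gateway" (SMTP is not secure, and HTTPS needs the CA certificate installed first) can be checked against a saved configuration. This is an added example, not Cisco code: the function name is hypothetical, the two configurations are constructed from the commands shown in this chapter, and it assumes profile sub-commands appear indented under their `profile` line and that a profile is active unless `no active` is present.

```python
def audit_call_home(config_text):
    """Return (profile, issue) pairs for active Call Home profiles."""
    profiles, current, trustpoint = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():
            current = None  # a top-level command closes the call-home block
            if line.startswith(("crypto ca trustpoint ", "crypto pki trustpoint ")):
                trustpoint = True
        elif line.startswith("profile "):
            name = line.split(None, 1)[1].strip('"')
            current = profiles.setdefault(name, {"active": True, "methods": set()})
        elif current is not None:
            if line == "no active":
                current["active"] = False
            elif line.startswith("destination transport-method "):
                current["methods"].add(line.split()[-1])
    findings = []
    for name, prof in profiles.items():
        if not prof["active"]:  # assumption: active unless "no active" is present
            continue
        if "email" in prof["methods"]:
            findings.append((name, "email transport: SMTP is not secure; confirm it "
                                   "ends at a Transport Gateway or switch to HTTPS"))
        if "http" in prof["methods"] and not trustpoint:
            findings.append((name, "http transport but no CA trustpoint is defined"))
    return findings

# Constructed samples in the layout assumed above, not output from a real switch.
WEAK = """\
service call-home
call-home
 contact-email-addr username@domain-name
 mail-server 192.0.2.25 priority 1
 profile "CiscoTAC-1"
  destination transport-method email
"""
FIXED = """\
service call-home
call-home
 contact-email-addr username@domain-name
 profile "CiscoTAC-1"
  destination transport-method http
crypto ca trustpoint cisco
 enroll terminal
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_call_home(cfg))
```

A defined trustpoint does not prove the CA certificate was accepted, so a clean result here still needs the `crypto ca authenticate` step from this section to have completed on the switch.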

